
Commit ea815dc

committed
Support checkov 2.1.160, 11 more terraform rules.
1 parent ef0360c commit ea815dc

6 files changed

Lines changed: 3207 additions & 2875 deletions


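--- a/src/main/resources/cloudformation-checkov-terraform-rules.xml
+++ b/src/main/resources/cloudformation-checkov-terraform-rules.xml
@@ -374,9 +374,9 @@
 </rule>
 <rule>
 <key>terraform-CKV_ALI_24</key>
-<name>Ensure Ram Account Password Policy Max Age less than/equal to 90 days</name>
+<name>Ensure RAM enforces MFA</name>
 <internalKey>terraform-CKV_ALI_24</internalKey>
-<description>Ensure Ram Account Password Policy Max Age less than/equal to 90 days</description>
+<description>Ensure RAM enforces MFA</description>
 <severity>CRITICAL</severity>
 <cardinality>SINGLE</cardinality>
 <status>READY</status>
@@ -522,6 +522,66 @@
 <remediationFunction>CONSTANT_ISSUE</remediationFunction>
 <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
 </rule>
+<rule>
+<key>terraform-CKV_ALI_34</key>
+<name>Ensure RDS instance is set to auto upgrade minor versions</name>
+<internalKey>terraform-CKV_ALI_34</internalKey>
+<description>Ensure RDS instance is set to auto upgrade minor versions</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_ALI_35</key>
+<name>Ensure RDS instance has log_duration enabled</name>
+<internalKey>terraform-CKV_ALI_35</internalKey>
+<description>Ensure RDS instance has log_duration enabled</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_ALI_36</key>
+<name>Ensure RDS instance has log_disconnections enabled</name>
+<internalKey>terraform-CKV_ALI_36</internalKey>
+<description>Ensure RDS instance has log_disconnections enabled</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_ALI_37</key>
+<name>Ensure RDS instance has log_connections enabled</name>
+<internalKey>terraform-CKV_ALI_37</internalKey>
+<description>Ensure RDS instance has log_connections enabled</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
 <rule>
 <key>terraform-CKV_ALI_38</key>
 <name>Ensure log audit is enabled for RDS</name>
@@ -4569,6 +4629,81 @@
 <remediationFunction>CONSTANT_ISSUE</remediationFunction>
 <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
 </rule>
+<rule>
+<key>terraform-CKV_AWS_262</key>
+<name>Ensure Kendra index Server side encryption uses CMK</name>
+<internalKey>terraform-CKV_AWS_262</internalKey>
+<description>Ensure Kendra index Server side encryption uses CMK</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_AWS_263</key>
+<name>Ensure App Flow flow uses CMK</name>
+<internalKey>terraform-CKV_AWS_263</internalKey>
+<description>Ensure App Flow flow uses CMK</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_AWS_264</key>
+<name>Ensure App Flow connector profile uses CMK</name>
+<internalKey>terraform-CKV_AWS_264</internalKey>
+<description>Ensure App Flow connector profile uses CMK</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_AWS_265</key>
+<name>Ensure Keyspaces Table uses CMK</name>
+<internalKey>terraform-CKV_AWS_265</internalKey>
+<description>Ensure Keyspaces Table uses CMK</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_AWS_266</key>
+<name>Ensure App Flow connector profile uses CMK</name>
+<internalKey>terraform-CKV_AWS_266</internalKey>
+<description>Ensure App Flow connector profile uses CMK</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
 <rule>
 <key>terraform-CKV2_AWS_1</key>
 <name>Ensure that all NACL are attached to subnets</name>
@@ -7521,6 +7656,42 @@
 <remediationFunction>CONSTANT_ISSUE</remediationFunction>
 <remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
 </rule>
+<rule>
+<key>terraform-CKV_AZURE_161</key>
+<name>Ensures Spring Cloud API Portal is enabled on for HTTPS</name>
+<internalKey>terraform-CKV_AZURE_161</internalKey>
+<description>Ensures Spring Cloud API Portal is enabled on for HTTPS</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<tag>owasp-a6</tag>
+<tag>cweid-311</tag>
+<tag>800-53-sc-8</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
+<rule>
+<key>terraform-CKV_AZURE_162</key>
+<name>Ensures Spring Cloud API Portal Public Access Is Disabled</name>
+<internalKey>terraform-CKV_AZURE_162</internalKey>
+<description>Ensures Spring Cloud API Portal Public Access Is Disabled</description>
+<severity>CRITICAL</severity>
+<cardinality>SINGLE</cardinality>
+<status>READY</status>
+<type>VULNERABILITY</type>
+<tag>security</tag>
+<tag>checkov</tag>
+<tag>terraform</tag>
+<tag>owasp-a6</tag>
+<tag>cweid-732</tag>
+<tag>800-53-ac-4</tag>
+<remediationFunction>CONSTANT_ISSUE</remediationFunction>
+<remediationFunctionBaseEffort>10min</remediationFunctionBaseEffort>
+</rule>
 <rule>
 <key>terraform-CKV2_AZURE_1</key>
 <name>Ensure storage for critical data are encrypted with Customer Managed Key</name>
@@ -11528,4 +11699,5 @@
 </rule>
 
 
+
 </rules>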
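Review bot: The new terraform-CKV_AWS_266 rule carries the same name and description as terraform-CKV_AWS_264 ("Ensure App Flow connector profile uses CMK"), which looks like a copy-paste slip in the 4629 hunk; two distinct checkov check ids should not describe the same resource, and if I recall the upstream list correctly CKV_AWS_266 covers a different resource, so the text should be taken from checkov 2.1.160's check catalogue rather than duplicated. In the 374 hunk, terraform-CKV_ALI_24 keeps its key but its meaning changes from a password max-age check to "Ensure RAM enforces MFA"; reusing a stable rule key for different semantics silently relabels any existing issues, so a short comment above the rule, `<!-- key semantics follow upstream checkov renumbering; see checkov 2.1.160 changelog -->`, would help the next maintainer, and it is worth confirming the old password-policy check now lives under its new key elsewhere in this file. The Azure rules in the 7656 hunk get owasp/cwe/800-53 tags while the ALI and AWS rules get only the three generic tags, which makes classification uneven across the same commit.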

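--- a/src/test/java/com/hack23/sonar/cloudformation/CloudformationQualityProfileTest.java
+++ b/src/test/java/com/hack23/sonar/cloudformation/CloudformationQualityProfileTest.java
@@ -52,7 +52,7 @@ public void defineTest() {
 final BuiltInQualityProfile qualityProfile = context.profile("terraform","Terraform(checkov) Rules");
 assertNotNull(qualityProfile);
 assertFalse(qualityProfile.isDefault());
-assertEquals(732,qualityProfile.rules().size());
+assertEquals(743,qualityProfile.rules().size());
 }
 
 }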

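--- a/src/test/resources/checkov/azuredeploy.checkov-report
+++ b/src/test/resources/checkov/azuredeploy.checkov-report
@@ -314,7 +314,8 @@
 "short_description": null,
 "vulnerability_details": null,
 "connected_node": null,
-"guideline": "https://docs.bridgecrew.io/docs/bc_azr_networking_4"
+"guideline": "https://docs.bridgecrew.io/docs/bc_azr_networking_4",
+"details": []
 },
 {
 "check_id": "CKV_AZURE_3",
@@ -412,7 +413,8 @@
 "short_description": null,
 "vulnerability_details": null,
 "connected_node": null,
-"guideline": null
+"guideline": null,
+"details": []
 }
 ],
 "failed_checks": [
@@ -732,7 +734,8 @@
 "short_description": null,
 "vulnerability_details": null,
 "connected_node": null,
-"guideline": "https://docs.bridgecrew.io/docs/bc_azr_logging_3"
+"guideline": "https://docs.bridgecrew.io/docs/bc_azr_logging_3",
+"details": []
 },
 {
 "check_id": "CKV_AZURE_23",
@@ -1046,7 +1049,8 @@
 "short_description": null,
 "vulnerability_details": null,
 "connected_node": null,
-"guideline": "https://docs.bridgecrew.io/docs/bc_azr_logging_2"
+"guideline": "https://docs.bridgecrew.io/docs/bc_azr_logging_2",
+"details": []
 },
 {
 "check_id": "CKV_AZURE_36",
@@ -1144,7 +1148,8 @@
 "short_description": null,
 "vulnerability_details": null,
 "connected_node": null,
-"guideline": "https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access"
+"guideline": "https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access",
+"details": []
 },
 {
 "check_id": "CKV_AZURE_35",
@@ -1242,7 +1247,8 @@
 "short_description": null,
 "vulnerability_details": null,
 "connected_node": null,
-"guideline": "https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny"
+"guideline": "https://docs.bridgecrew.io/docs/set-default-network-access-rule-for-storage-accounts-to-deny",
+"details": []
 }
 ],
 "skipped_checks": [],
@@ -1254,7 +1260,7 @@
 "skipped": 0,
 "parsing_errors": 0,
 "resource_count": 7,
-"checkov_version": "2.1.68"
+"checkov_version": "2.1.160"
 },
 "url": "Add an api key '--bc-api-key <api-key>' to see more detailed insights via https://bridgecrew.cloud"
 }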
